Sensitive and Restricted Data
Last updated: April 28, 2015
This guide is not intended to serve as official policy, but as a resource to aid Trinity College of Arts & Sciences webmasters and content owners using Trinity Technology Services (TTS) supported websites. Web content owners and editors should familiarize themselves with university policies regarding sensitive and restricted data to ensure that all applicable Duke University policy, as well as state and federal laws, are followed.
What is Sensitive Data?
Sensitive data is data that Duke is either required by law to protect, or which Duke protects to mitigate institutional risk. Explicit institutional approval is needed in order to receive access to sensitive data. The following are all examples of sensitive data:
- Social Security Numbers
- Credit Card numbers
- Protected Health Information
- FERPA-protected data
What sensitive data may be stored on public-facing TTS supported websites?
No data that falls into the sensitive data category may be stored on public-facing TTS supported websites. For information about proper handling and storage of data that falls into this category, please see the IT Security Office’s Policies & Procedures.
What is Restricted Data?
Restricted data is data that is not necessarily for public consumption, but does not fall into the sensitive category. Duke may have a proprietary obligation to protect restricted data, but disclosure would not significantly harm the university. Access to restricted data elements is determined by business process needs. The following are examples of restricted data:
- Unpublished papers/papers in progress
- Copyrighted material
- Compliance information
- Assessment/evaluation information
What restricted data may be stored on public-facing TTS supported websites?
We strongly encourage that no restricted data be stored on TTS supported websites, whether or not access controls have been put in place. Placing restricted data on a public-facing site:
- Unnecessarily increases the complexity of the website’s security model;
- Increases the risk of the restricted data being compromised;
- Creates the potential that, in the event the restricted data is compromised, the entire site, not just the restricted data, would be taken off-line while the damage is assessed.
Resources for proper storage of restricted data
There are several services at Duke which have been engineered and created specifically with data protection in mind. These include:
- Sakai - https://sakai.duke.edu/
- Duke Wiki (Confluence) - https://wiki.duke.edu/
- Sharepoint - http://oit.duke.edu/enterprise/sharepoint/
- Box - http://oit.duke.edu/comp-print/storage/box/
Trinity Technology Services can help direct and advise on the appropriate service to leverage for the storage and serving of restricted data.